diff --git a/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass b/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
index 11dd9c6..050dcd6 100644
--- a/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
+++ b/layers/meta-belden-coreos/classes/coreos-image-swupdate.bbclass
@@ -69,5 +69,11 @@ def coreos_swupdate_extends(d, s, key):
 return text
+# Signature support
+inherit coreos-efi-secureboot
+SWUPDATE_SIGNING = "CMS"
+SWUPDATE_CMS_KEY = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"
+SWUPDATE_CMS_CERT = "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt"
+
 COREOS_IMAGE_SWUPDATE_EXTRACLASSES ?= ""
 inherit ${COREOS_IMAGE_SWUPDATE_EXTRACLASSES}
diff --git a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
index c9a0166..9b2ec54 100644
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/25-sw-collections-config.sh
@@ -37,3 +37,6 @@ case $ROOT_PARTLABEL in
 exit 1
 ;;
 esac
+
+echo "Public key used to verify software image is /usr/lib/swupdate/swupdate.crt"
+SWUPDATE_ARGS="${SWUPDATE_ARGS} -k /usr/lib/swupdate/swupdate.crt"
diff --git a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
index d8a2a88..23f4fc8 100644
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate/defconfig
@@ -24,3 +24,7 @@ CONFIG_DISKPART=y
 CONFIG_DISKPART_FORMAT=y
 CONFIG_FAT_FILESYSTEM=y
 CONFIG_EXT_FILESYSTEM=y
+CONFIG_SIGNED_IMAGES=y
+CONFIG_SIGALG_RAWRSA=n
+CONFIG_SIGALG_CMS=y
+CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y
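Review bot: In coreos-image-swupdate.bbclass the three signing variables are assigned with `=`, so a distro or CI configuration cannot point the build at a different key without editing the class. Weak defaults such as `SWUPDATE_CMS_KEY ?= "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.key"` (and the same for `SWUPDATE_SIGNING` and `SWUPDATE_CMS_CERT`) keep today's behaviour and let a release build substitute its own key. The private key also sits in the same directory as the secure-boot keys and, per the keygen hunk of this commit, is written unencrypted, so any host that can build an image can also sign updates. A comment above `SWUPDATE_SIGNING` stating whether these are development keys, and how production keys are meant to be supplied, would make that explicit.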
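Review bot: The certificate path in 25-sw-collections-config.sh is written out twice and fixed to /usr/lib, while the recipe installs the file under `${libdir}/swupdate/`; on a configuration where libdir is not /usr/lib the `-k` argument would name a file that is not there. Holding the path in one variable, e.g. `SWUPDATE_CERT=/usr/lib/swupdate/swupdate.crt`, and checking `[ -r "$SWUPDATE_CERT" ]` with an `exit 1` and a message, as the case statement above does for an unknown label, would make a missing trust anchor an explicit failure. The echo calls the file a public key although it is a certificate. The case statement these lines follow starts outside the hunk.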
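Review bot: `CONFIG_CMS_IGNORE_CERTIFICATE_PURPOSE=y` in defconfig switches off the check that the signer certificate was issued for this use, and nothing in the commit records why. With the single self-signed certificate passed through `-k` the practical effect is small, but if the trust anchor later becomes a CA, a certificate that CA issued for any other purpose would be accepted as an update signer. It would be safer to generate swupdate.crt with the key usage SWUpdate expects and drop this option, or at least state the reason in the commit message. Separately, `CONFIG_SIGALG_RAWRSA=n` is conventionally written `# CONFIG_SIGALG_RAWRSA is not set`.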
diff --git a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
index b45fca4..3e76bd8 100644
--- a/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
+++ b/layers/meta-belden-coreos/recipes-support/swupdate/swupdate_%.bbappend
@@ -37,9 +37,12 @@ RRECOMMENDS:${PN} += "${PN}-coreos-config"
 # configuration to be installed
 RCONFLICTS:${PN}-coreos-installer-config = "${PN}-coreos-config"
+inherit coreos-efi-secureboot
+
 do_install:append() {
 # Probably replace revision with the value of the device tree
 install -m 755 ${WORKDIR}/50-webserver-config.sh ${D}${libdir}/swupdate/conf.d/
 install -m 755 ${WORKDIR}/25-sw-collections-config.sh ${D}${libdir}/swupdate/conf.d/
+ install -m 755 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/
 echo "${MACHINE} 1.0" > ${D}${sysconfdir}/hwrevision
 }
diff --git a/scripts/coreos-keygen b/scripts/coreos-keygen
index e270634..1c132be 100755
--- a/scripts/coreos-keygen
+++ b/scripts/coreos-keygen
@@ -108,3 +108,7 @@ echo "Generatic DER files with PK, KEK et db public key"
 check_files_exist PK.der || openssl x509 -in PK.crt -outform der -out PK.der
 check_files_exist KEK.der || openssl x509 -in KEK.crt -outform der -out KEK.der
 check_files_exist db.der || openssl x509 -in db.crt -outform der -out db.der
+
+# keys needed to sign and verify SWUpdate
+check_files_exist swupdate.key swupdate.crt || openssl req -x509 -newkey rsa:4096 -nodes -keyout swupdate.key \
+ -out swupdate.crt -subj "/O=SWUpdate /CN=target"
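Review bot: The certificate is installed with `-m 755` in do_install:append, which marks a data file executable; `install -m 644 ${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt ${D}${libdir}/swupdate/` is sufficient. The file is also read from outside WORKDIR and, as far as this hunk shows, is not listed in SRC_URI, so BitBake probably does not rerun do_install when the certificate is regenerated and an image could ship a stale trust anchor. Adding `do_install[file-checksums] += "${COREOS_EFI_SECUREBOOT_KEYDIR}/swupdate.crt:True"` would tie the task to the file's content. The existing comment about the hardware revision now sits three lines away from the `echo` it describes.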
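Review bot: The `openssl req -x509` call added to scripts/coreos-keygen has no `-days`, so swupdate.crt gets OpenSSL's default validity of 30 days. Whether targets start rejecting updates after that depends on how SWUpdate is configured to treat expired certificates, which this commit does not set. The intended lifetime should be stated explicitly, e.g. `-days <VALIDITY_DAYS>` (placeholder value). `-nodes` leaves swupdate.key unencrypted on disk; if that is deliberate for unattended builds, a comment saying so, plus a check that the file is readable only by its owner, would be worth adding. The `-subj` value also has a trailing space inside `/O=SWUpdate `.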